Australian organisations are rapidly adopting AI agents for sensitive security tasks, but a new study suggests many may lack the governance and recovery capability to manage the risks if those systems are compromised.
Research published by Semperis, based on a global survey of 1,100 organisations across multiple industries, examined AI’s impact on the attack surface of identity systems including Active Directory, Entra ID and Okta. In the Australian results, 95% of organisations said they already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access.
The study found that 80% of Australian organisations believe AI will increase attacks on identity infrastructure. It also reported that 92% of respondents said AI is installed on at least some local machines with access to SSH and encryption keys.
On recovery confidence, the report said only 21% of Australian respondents were “very confident” they could regain control of identity systems if AI exposed admin credentials, compared with 32% globally. It added that 10% of Australian organisations said they were not confident they could regain control in that scenario.
The study also pointed to governance gaps for what it described as AI-related non-human identities. Only 52% of Australian organisations said their AI identities are fully registered, authenticated and authorised in a formal system, compared with 65% globally. Among organisations that track AI identities, 62% said they use the same system as for human identities, while 38% said they use a separate system.
“The accelerated use of AI is introducing a bevy of new agents, each with its own non-human identity (NHI) throughout global enterprises and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs,” said Alex Weinert, Semperis chief product officer.
Gerry Sillars, Semperis vice president of APJ, said Australian organisations were behind international peers in governing AI-related identities and expressed less confidence in regaining control if admin credentials were exposed. “It is clear that AI is changing the identity threat landscape faster than Australian organisations can adapt,” Sillars said.
The report also highlighted the use of AI agents in help desk contexts. It said 24% of surveyed Australian organisations already use AI agents to manage security-related help desk tickets, including password resets and VPN access, and 69% intend to do so within the next year.
Commenting on the findings, Ten Eleven Ventures partner Grace Cassy said: “What is striking about the Semperis AI Study is not just how quickly AI is being integrated into identity systems but how unprepared many organisations are to recover when things go wrong.”
Semperis said 79% of respondents indicated AI identity governance is a priority in the coming months, and listed practices such as treating agents as non-human identities, enforcing least-privilege access, separating trust boundaries where appropriate, monitoring for anomalous agent behaviour, and ensuring identity systems can be recovered to a trustworthy state following a breach.

